Hello Hackers,
This time I am going to discuss an OTP leak that leads to account takeover on an e-commerce website.
Let’s Start
What is OTP?
A one-time password, also known as a one-time PIN, one-time authorization code or dynamic password, is a password that is valid for only one login session or transaction, on a computer system or other digital device.
(source: Wikipedia)
While searching for bug bounty programs on Google, I came across an e-commerce website. I started with the website's register and login pages: I intercepted the requests and looked for any sensitive data, but I didn't find anything.
It was only after I had registered an account and was trying to log in that I noticed the interesting thing about that website. In hindsight, I should have found the vulnerability on the register page itself.
Let’s Discuss it
After registration, there were two options to log in: with the password or with an OTP.
I chose Login with OTP, entered the registered number, and clicked LOGIN WITH OTP.
Then I checked the cookies: a new cookie named ‘otpcookies’ had appeared, and its value was the OTP itself. In other words, the server was handing the OTP to whoever triggered the request, not only to the owner of the phone.
I entered the OTP from the cookie and submitted it.
We were successfully logged in to the account.
That means anyone can take over any account just by knowing the victim's mobile number. The same method works for registration, and the most interesting part was that there was no validation of the mobile number or email ID at all, which means we can register even with non-existent numbers and email addresses. All of this on an e-commerce website 🙁
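The flow described above, as an added example that is not code from the original post or from the affected site: a model of the vulnerable server, which sends the OTP by SMS and also echoes it back in the ‘otpcookies’ cookie, next to a hardened version that keeps the OTP server-side (as a keyed hash with an expiry and a guess budget) and puts only an opaque challenge id in the cookie. The same attacker function, which knows nothing but the victim's number and reads the cookies the server sets, succeeds against the first and fails against the second. The class names, the `otp_challenge` cookie, the SMS outbox, the 6-digit length, the 300-second lifetime and the 5-guess budget are all assumptions for illustration; how the real site compared the submitted OTP is not known, so the vulnerable `verify` is also an assumption.

```python
import hashlib
import hmac
import secrets
import time

OTP_DIGITS = 6
OTP_TTL_SECONDS = 300   # assumed lifetime for the hardened flow
MAX_ATTEMPTS = 5        # assumed guess budget per challenge


def _new_otp() -> str:
    """Random zero-padded OTP drawn from the CSPRNG."""
    return f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"


class VulnerableOtpLogin:
    """Models the behaviour in the post: the OTP is sent by SMS *and* echoed
    back to the browser in an 'otpcookies' cookie. Comparing against that
    cookie on verify is an assumption about the server; the leak is the point."""

    def __init__(self):
        self.sms_outbox = []  # constructed stand-in for the SMS gateway

    def request_otp(self, phone: str) -> dict:
        otp = _new_otp()
        self.sms_outbox.append((phone, otp))
        return {"Set-Cookie": {"otpcookies": otp}}  # the bug: the secret is in the response

    def verify(self, phone: str, submitted: str, cookies: dict) -> bool:
        return hmac.compare_digest(cookies.get("otpcookies", ""), submitted)


class HardenedOtpLogin:
    """The OTP never leaves the server except via SMS; the cookie carries only an
    opaque challenge id. The server-side record holds an HMAC of the OTP, an
    expiry and a guess budget, and the challenge is single-use."""

    def __init__(self, server_key: bytes, now=time.time):
        self.key = server_key
        self.now = now          # injectable clock, so expiry can be exercised offline
        self.challenges = {}    # challenge_id -> [phone, otp_mac, expires_at, attempts_left]
        self.sms_outbox = []    # constructed stand-in for the SMS gateway

    def _mac(self, challenge_id: str, otp: str) -> bytes:
        # Keyed hash bound to the challenge id, so a leaked table does not reveal live OTPs.
        return hmac.new(self.key, f"{challenge_id}:{otp}".encode(), hashlib.sha256).digest()

    def request_otp(self, phone: str) -> dict:
        otp = _new_otp()
        cid = secrets.token_urlsafe(16)
        self.challenges[cid] = [phone, self._mac(cid, otp), self.now() + OTP_TTL_SECONDS, MAX_ATTEMPTS]
        self.sms_outbox.append((phone, otp))           # out-of-band delivery only
        return {"Set-Cookie": {"otp_challenge": cid}}  # nothing secret in the response

    def verify(self, phone: str, submitted: str, cookies: dict) -> bool:
        cid = cookies.get("otp_challenge")
        rec = self.challenges.get(cid)
        if rec is None:
            return False
        if rec[0] != phone or self.now() > rec[2] or rec[3] <= 0:
            self.challenges.pop(cid, None)   # wrong number, expired or exhausted: burn it
            return False
        rec[3] -= 1
        ok = hmac.compare_digest(rec[1], self._mac(cid, submitted))
        if ok or rec[3] == 0:
            self.challenges.pop(cid, None)   # single use; lock out after the last guess
        return ok


def attacker_login(service, victim_phone: str) -> bool:
    """The attack from the post: trigger an OTP for someone else's number and
    read it out of the cookies the server set, without touching their phone."""
    cookies = service.request_otp(victim_phone)["Set-Cookie"]
    for value in cookies.values():
        if value.isdigit() and len(value) == OTP_DIGITS:
            return service.verify(victim_phone, value, cookies)
    return False


def legitimate_login(service, phone: str) -> bool:
    """The intended flow: the user reads the OTP from the SMS, not from the response."""
    cookies = service.request_otp(phone)["Set-Cookie"]
    otp = next(o for p, o in reversed(service.sms_outbox) if p == phone)
    return service.verify(phone, otp, cookies)


if __name__ == "__main__":
    victim = "+10000000001"  # constructed number
    print("vulnerable site, attacker with only the number:", attacker_login(VulnerableOtpLogin(), victim))
    print("hardened site, same attacker:", attacker_login(HardenedOtpLogin(b"server-secret"), victim))
    print("hardened site, real user:", legitimate_login(HardenedOtpLogin(b"server-secret"), victim))
```

The quickest check for this bug class during testing is the one the post describes: trigger the OTP request for a number you control, then look at every Set-Cookie header and response body for a value of the OTP's length before the SMS even arrives. Anything that matches is a secret the server is giving to the requester rather than to the phone's owner.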
I reported the issue to the admin; they responded within hours and accepted the bug. After that there has been no response from their side and no updates till now. Let’s wait.
Thank You For Reading ….
Twitter: https://twitter.com/ag3n7apk
Linkedin: https://www.linkedin.com/in/abhijith-pk-ag3n7/
Nathan Wenz Jan 17, 2023 at 10:28 am
I had no idea that OTP leaking was such a big problem. Your article really opened my eyes to the dangers of an account takeover and how easily it can happen. I’ll definitely be more cautious in the future.
Jessica Loton Jan 17, 2023 at 10:28 am
Great article on OTP leaking and how it leads to account takeover. It is alarming to see how easily hackers can gain access to our personal and financial information by exploiting these vulnerabilities. Thanks for educating us on how to stay safe. Worth the read.
Petra Přibylová Jan 17, 2023 at 10:28 am
As someone who works in IT, I appreciate the thoroughness of this article on OTP leaking and account takeover. It’s important for both individuals and businesses to understand the risks and take steps to protect themselves.